Introduction to Cracking - (Part III)


Summary of previous parts

In Part-I and Part-II we saw that Reflector can very accurately de-compile .NET apps, and we also studied some basics of packing and obfuscation.
We saw that Reflector cannot directly de-obfuscate obfuscated assemblies, so we need external tools to de-obfuscate .NET assemblies. smartkill is one such tool that can de-obfuscate assemblies obfuscated by smartassembly.
Reflector also can't unpack or decrypt packed/crypted exes, so we need unpackers and decryptors. PEiD can identify a huge array of packed and crypted exes, to make our lives easier.

Introduction

I think readers are starting to lose interest as I have covered only the theoretical aspects of cracking. So, in this part I will actually CRACK an app.
As I have written only about .NET cracking so far, I will crack a .NET app. We will cover other languages gradually.

NOTE FOR NEWBIES : Don't be afraid of seeing so much code. Your work is simple (as you will see when you read further). At max, you'll have to write about 10 lines of code.

(7) So, now we have enough information about what's going on inside:
(*) The check function checks if the entered key is valid.
(*) If the key is valid, it generates a serial and matches the entered serial with it.
Simple, isn't it?

(8) So, what we do to crack this easily is try to understand what the check function expects as a GOOD key. Let's analyze:

OBSERVATION : Observe the Do...Loop While(num2 <= 9) loop inside the 'Try' block.
CONCLUSION : It ensures that there are no repeated digits in the key. Thus, note that the key consists only of DIGITS, no letters.
OBSERVATION : Next move to the sequence of 'If' Checks. [ There are 8 'If's ]. If an 'If' is satisfied, num is increased by 1 ( 'cuz num += 1). At the end the function checks if num = 8.
CONCLUSION : So, ALL 'If's must be satisfied.

(9) Study the 'If's now. BTW, hover the mouse over 'Substring' and 'Conversions' to learn about them. See that the author extracts the i'th character in the string str (which is the key) by using the command 'str.Substring(i-1, 1)'. So, 'str.Substring(1, 1)' would give the 2nd character in the key.
Note that, the author uses i = 9 at max because he uses 'str.Substring(8, 1)' at maximum.
So, we got a hint -- the author checks ONLY the first 9 chars of key.

(10) Now, what does he check ?? Note again that, 'Conversion.Int(c)' returns the digit contained in the character c. As the key consists only of digits, 'Conversion.Int(str.Substring(i-1, 1))' would return the i'th digit in the key.

(12) So we need a unique permutation of the digits 123456789 as the first 9 digits that satisfies the above conditions. Simple observation leads to a better representation of these conditions [ as a MAGIC SQUARE ].

The sum of each Row, Column and Diagonal is 15. So, let's fill up the magic square.

(13) Representation of 15 as a sum of 3 distinct natural numbers:

(*) Using 1 : 1 + 6 + 8
              1 + 5 + 9
    [ as 1 can be present in 2 different combinations, it must be at the mid-point of a side of the magic square ]
(*) Using 2 : 2 + 6 + 7
              2 + 5 + 8
              2 + 4 + 9
    [ as 2 can be present in 3 different combinations, it must be at a vertex of the magic square ]
(*) Using 3 : 3 + 5 + 7
              3 + 4 + 8
    [ as 3 can be present in 2 different combinations, it must be at the mid-point of a side of the magic square ]
(*) Using 4 : 4 + 2 + 9
              4 + 3 + 8
              4 + 5 + 6
    [ as 4 can be present in 3 different combinations, it must be at a vertex of the magic square ]

We have enough hints now. So, we now have the magic square of the form:

2 x x
x x 1
4 3 x

Now we can fill up logically as follows:

(*) 1 and 3 cannot be opposite to each other as they are not together in any combination.
(*) 4 should not be above or below 1 as they are not together in any combination.
(*) Mid-Left is obviously 9.
(*) Bottom-Right is obviously 8.

Now we have:

2 x x
9 x 1
4 3 8

(*) Center is of course 5
(*) Top-Right is 6.
(*) Mid-Top is 7.

So finally we have the grid as:

2 7 6
9 5 1
4 3 8

So, the key corresponding to this is 276951438.
NOTE: All other keys can be formed by simply rotating and transposing.
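
The hand derivation above can be checked mechanically. This added example (not code from the crackme or from the original article) brute-forces every arrangement of 1-9 whose rows, columns and diagonals sum to 15 and compares the result with the rotations and transposes of 276951438. It assumes the first 9 key digits fill the grid row by row; all function names are illustrative.

```python
from itertools import permutations

# Index triples of a 3x3 grid stored row by row in a 9-character string
# (assumed layout: key digit i sits at grid position i-1).
LINES = [(0, 1, 2), (3, 4, 5), (6, 7, 8),   # rows
         (0, 3, 6), (1, 4, 7), (2, 5, 8),   # columns
         (0, 4, 8), (2, 4, 6)]              # diagonals

def is_magic(key):
    """True if the first 9 chars are the digits 1-9, each used once,
    and every row, column and diagonal sums to 15."""
    head = key[:9]  # the article observes that only the first 9 chars are checked
    if sorted(head) != list("123456789"):
        return False
    return all(sum(int(head[i]) for i in line) == 15 for line in LINES)

def brute_force():
    """Every 9-digit candidate that passes is_magic, by exhaustive search."""
    return sorted(k for k in map("".join, permutations("123456789")) if is_magic(k))

def rotate(key):
    """Rotate the grid 90 degrees clockwise."""
    return "".join(key[i] for i in (6, 3, 0, 7, 4, 1, 8, 5, 2))

def transpose(key):
    """Swap rows and columns."""
    return "".join(key[i] for i in (0, 3, 6, 1, 4, 7, 2, 5, 8))

def symmetries(key):
    """The grids reachable from key by rotating and transposing."""
    out = set()
    for _ in range(4):
        out.add(key)
        out.add(transpose(key))
        key = rotate(key)
    return sorted(out)

if __name__ == "__main__":
    found = brute_force()
    print(len(found), "candidates:", found)
    print("same as symmetries of 276951438:", found == symmetries("276951438"))
```

The exhaustive search and the symmetry construction produce the same 8 grids, which confirms that rotating and transposing the derived square misses nothing.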

(14) Now we know the valid keys. The getserial function can fetch us a valid serial for a key, so we don't need to bother calculating a serial ourselves. We can just copy the getserial function (and the hash function, because getserial uses it) to VB.NET and pass the keys as arguments to get the serials.

(15) So, we are done! We have just finished a keygen for w02057's Crackme.
All the valid key and serial combinations are: